[00:32] <karlthane> Hello, trying to help test. Downloaded the current daily iso for 19.10, not giving option to install to zfs in installer. Is there something special I have to do. Sorry if this is wrong channel.
[01:01] <valorie> karlthane: try #ubuntu+1
[10:35] <caribou> Hello, I'm preparing an SRU upload of systemd for LP: #1805183. Anybody has something inflight on systemd ?
[14:01] <tomreyn> gnupg2 (as well as gnupg, i.e. v1) in bionic fails to handle keys without user ids, as provided by the (only, as far as i know) key spam safe openpgp server keys.openpgp.org, which most applications now default to.
[14:01] <tomreyn> so it's not currently possible to use a safe keyserver in bionic, from what i can tell.
[14:01] <tomreyn> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930665
[14:13] <TJ-> tomreyn: I find that vulnerabilty useful... as I have multiple IDs if the same email arrives for multiple IDs it gets deleted instantly by procmail
[14:18] <tomreyn> TJ-: well, that's not so useful to me ;)
[14:22] <TJ-> hehehe
[14:22] <TJ-> tomreyn: so is it no longer possible to search by userid to find a key?
[14:23] <TJ-> tomreyn: hmm, is that keyserver not connected to the pool? it doesn't find my key
[14:35] <tomreyn> TJ-: it is not connected to the SKS pool. are you aware of the signature spamming issues?
[14:36] <tomreyn> i just filed bug 1844055 about the above.
[14:38] <TJ-> tomreyn: you mean the email addresses being harvested for spam? Yes, seen it for a long time which is why I have procmail rules to block it
[14:39] <TJ-> tomreyn: hashes the subject and counts for all IDs in the keys
[15:03] <tomreyn> TJ-: no, i don't mean e-mail addresses harvested for spam. i mean the issue known as (variants of) OpenPGP certificate (key signature) flooding / spam. I added more context to the bug report now.
[15:09] <TJ-> tomreyn: ahhh, thanks, so adding lots of signatures to a key as a DoS because clients cannot cope with the quantity?
[15:12] <tomreyn> TJ-: yes, this sums up CVE-2019-13050, mitigation of which got deferred https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13050.html
[15:15] <TJ-> tomreyn: reading about the unmaintained 'toy' SKS software and the fact 2 key devs of openpgp have known about this for 10 years... I dispair!
[15:15] <TJ-> I despair, too!
[15:25] <tomreyn> yes, it's overall a sad situation. :/
[15:27] <TJ-> the argument 'no-one can understand the code' is a poor one though; that is always possible if sufficient time is applied
[15:37] <tomreyn> i wouldn't personally claim to be able to do so, not now, nor anytime soon. but certainly time, accompanied by other resources, such as knowledge and experience, money, could. the argument resting within this, that infrastructurally important or at least relevant software should be written in a widely understood programming language, accompanied by good documentation. (this said, i'm very grateful to kfiskerstrand and other contributors to
[15:37] <tomreyn> the SKS keyserver code and network over the years.)
[15:38] <tomreyn> s/within this , that/within this is that/
[15:38] <tomreyn> and we should move to -discuss.
[17:49] <karlthane> @valorie Thank You
[17:49] <udevbot> Error: "valorie" is not a valid command.
[17:49] <karlthane> valorie Thank you.
[17:59] <Eickmeyer> cyphermox: Still no movement on bug 184319?
[17:59] <Eickmeyer> Oh, wrong bug...
[18:00] <Eickmeyer> cyphermox: bug 1843196